Atlassian · Crowd · CVE-2022-43782
**Name of the Vulnerable Software and Affected Versions**
Atlassian Crowd versions 3.x.x through 5.x.x before 5.0.3
Atlassian Crowd versions 4.x.x before 4.4.4
**Description**
The vulnerability stems from a flaw in the authentication check of the REST API in Atlassian Crowd, Atlassian's centralised identity management and single sign-on product. A remote attacker can exploit it to elevate their privileges by calling privileged endpoints under the `usermanagement` path of Crowd's REST API. Exploitation is limited to source IPs listed in the Remote Addresses allowlist of the `crowd` application; that allowlist is empty by default, so an instance that has never added entries to it is not exploitable through this route.
**Recommendations**
For versions 3.x.x, update to version 5.0.3 or later to resolve the issue (no fixed release exists in the 3.x.x line).
For versions 4.x.x before 4.4.4, update to version 4.4.4 or later to resolve the issue.
For versions 5.x.x before 5.0.3, update to version 5.0.3 or later to resolve the issue.
As a temporary workaround, restrict access to the `usermanagement` path of the REST API (for example at a reverse proxy in front of Crowd) to minimize the risk of exploitation, and review the Remote Addresses allowlist of the `crowd` application: only the IPs listed there can reach the affected endpoints with elevated privileges, so remove any entries that are not strictly required.
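The following script is an added example for this advisory, not code from Atlassian or from the original page. It turns the two practical questions above into code: `is_affected()` classifies a Crowd version string against the affected ranges listed in this advisory (all 3.x.x, 4.x.x before 4.4.4, 5.x.x before 5.0.3), and `find_usermanagement_calls()` triages access-log lines for requests under the REST `usermanagement` path and marks whether each source IP is in the `crowd` application's Remote Addresses allowlist, which is the precondition for exploitation named above. The log lines are constructed samples in common log format, the allowlist entry `203.0.113.0/24` is assumed, and the `/rest/usermanagement/` path prefix is the segment Crowd's REST API uses; adjust the log regex if your proxy logs a different format.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Fixed releases per branch, as listed in the advisory above. The 3.x.x line has no fix.
FIXED_4X = (4, 4, 4)
FIXED_5X = (5, 0, 3)

# Path segment under which Crowd's REST user-management API is served.
USERMANAGEMENT_PATH = "/rest/usermanagement/"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Crowd version string such as '4.4.3' or '5.0.2-LTS' to (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Crowd version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected ranges named in the advisory."""
    v = parse_version(version)
    major = v[0]
    if major == 3:
        return True            # every 3.x.x release is affected; there is no 3.x fix
    if major == 4:
        return v < FIXED_4X    # 4.0.0 .. 4.4.3
    if major == 5:
        return v < FIXED_5X    # 5.0.0 .. 5.0.2
    return False               # outside the ranges the advisory lists


# Constructed access-log lines in common log format (illustrative, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2022:10:01:02 +0000] "GET /crowd/rest/usermanagement/1/user?username=admin HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2022:10:01:05 +0000] "POST /crowd/rest/usermanagement/1/user HTTP/1.1" 201 128
203.0.113.7 - - [10/Nov/2022:10:01:09 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 2048
198.51.100.9 - - [10/Nov/2022:10:02:00 +0000] "GET /crowd/rest/usermanagement/1/group?groupname=crowd-administrators HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_usermanagement_calls(lines: Iterable[str], crowd_app_allowlist: Iterable[str]) -> List[Dict]:
    """Return one record per request under the usermanagement path.

    `crowd_app_allowlist` holds the Remote Addresses configured for the `crowd`
    application (single IPs or CIDR ranges). On an unpatched instance only requests
    from those addresses can reach the privileged endpoints, so `in_allowlist` marks
    the calls to review first; successful (2xx) calls from allowlisted hosts are the
    strongest signal.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in crowd_app_allowlist]
    findings: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string before matching
        if USERMANAGEMENT_PATH not in path:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        status = int(m.group("status"))
        findings.append({
            "ip": str(ip),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "in_allowlist": any(ip in net for net in networks),
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for ver in ("3.7.2", "4.4.3", "4.4.4", "5.0.2", "5.0.3"):
        print(f"Crowd {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    # Assumed allowlist for the crowd application; replace with the instance's real entries.
    for finding in find_usermanagement_calls(SAMPLE_LOG.splitlines(), ["203.0.113.0/24"]):
        print(finding)
```

Feed the function the real Remote Addresses entries from the `crowd` application's configuration rather than a guess; an empty list means no source IP can satisfy the precondition, which matches the advisory's note that a default (empty) allowlist is not exploitable.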